Rapid7 Blog

Metasploit Wrap-Up

Data service improvements

The Payload UUID and paranoid mode Meterpreter payload and listener features were first introduced and added to many HTTP and TCP Metasploit payloads in mid-2015. These features provided three major enhancements for Metasploit payload use. First, they allowed the user to uniquely identify a generated payload, which is important when running social engineering campaigns. Second, they allowed the user to drop session connections without a known UUID. Third, they created a secure communication link between the payload and listener.

In late 2018, the team revisited Payload UUIDs with a focus on supporting the feature through the data service, thus allowing teams to more easily work from a single payload UUID source. Between PR #10675 and PR #11532, Erin Bleiweiss and Matthew Kienow shifted Metasploit's payload UUID tracking mechanism from a local file, ~/.msf4/payloads.json, to the Metasploit data service, allowing users to store and track UUID payloads in a local or remote database.

The change also opens the door for third-party integrations leveraging the payload UUID data through MSF5’s REST API. It is important to note that those currently using a payloads.json file for UUID tracking may need to remain on Metasploit 5.0.9 or earlier, the Metasploit 4.x branch, or regenerate their payloads while connected to a data service in order to use the new mechanism. The instance hosting the listener should also be configured to connect to the same data service used when the UUID payloads were generated.
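To make the listener-side UUID check and the "same data service" requirement concrete, here is a small added illustration in Ruby. It is not Metasploit's own code: the `PayloadRegistry` class, its `payloads.json`-style layout and the `accept_session?` helper are assumptions used only to show the idea of tracking issued payload UUIDs in a shared store and dropping connections whose UUID is unknown.

```ruby
require 'json'
require 'securerandom'

# Added illustration (not Metasploit's own code): a registry of payload UUIDs
# plus the listener-side check that rejects sessions with an unknown UUID.
# The store is an in-memory hash that can be dumped to / loaded from a
# payloads.json-style file; a data service would back it with a database.
class PayloadRegistry
  def initialize(records = {})
    @records = records # uuid (hex string) => metadata hash
  end

  # Record a freshly generated payload so that the UUID can later be traced
  # back to the campaign and build it came from. The uuid parameter is an
  # 8-byte (16 hex character) constructed identifier, not Metasploit's format.
  def register(campaign:, platform:, arch:, uuid: SecureRandom.hex(8))
    @records[uuid] = {
      'campaign'  => campaign,
      'platform'  => platform,
      'arch'      => arch,
      'timestamp' => Time.now.to_i
    }
    uuid
  end

  def known?(uuid)
    @records.key?(uuid)
  end

  def lookup(uuid)
    @records[uuid]
  end

  # Serialize in a payloads.json-like shape (constructed layout, not a claim
  # about the exact on-disk format Metasploit used).
  def to_json(*)
    JSON.generate(@records)
  end

  def self.from_json(text)
    new(JSON.parse(text))
  end
end

# Listener-side decision when paranoid mode is on: the connecting stager must
# present a UUID that the registry already tracks; anything else is dropped
# before a session is created. With paranoid mode off, every UUID is accepted.
def accept_session?(registry, presented_uuid, paranoid: true)
  return true unless paranoid

  registry.known?(presented_uuid)
end

if __FILE__ == $PROGRAM_NAME
  # Generator side: record a payload in the "data service".
  generator_store = PayloadRegistry.new
  uuid = generator_store.register(campaign: 'phish-2019-q1', platform: 'windows', arch: 'x64')

  # Listener side, connected to the same store: the UUID is known.
  shared = PayloadRegistry.from_json(generator_store.to_json)
  puts "same data service: #{accept_session?(shared, uuid)}"      # true

  # Listener side, connected to a different (empty) store: the UUID is unknown
  # and the session is dropped, which is why both instances must share a store.
  other = PayloadRegistry.new
  puts "different data service: #{accept_session?(other, uuid)}"  # false
end
```

The round trip through `to_json` / `from_json` stands in for the move described above: once the registry lives in a store both the generating and the listening instance can reach, the listener can answer the "is this UUID one of ours?" question without a local file.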

As MSF5 becomes more widely used, the web service-related components are exercised further by our community, who diligently report their findings. Thanks to Ted R for reporting a bug that led busterb to open PR #11533, fixing the create_cracked_credential method's incorrect handling of the result of a service lookup against the database. Also, thanks to Acidical for reporting a bug in msfdb, which led Erin Bleiweiss to open #11525 to fix the msfdb reinit command, which deleted the web service SSL key and certificate (.pem) files even when the user answered “no” to deleting existing data and configurations. Keep exploring the new features and reporting back if they don’t operate as expected!

GET Drupal

Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to inform users that a REST resource endpoint is also vulnerable, even if it only accepts GET requests. The exploits/unix/webapp/drupal_restws_unserialize module introduced in PR #11481 by Rotem Reiss and wvu exploits a vulnerability in Drupal RESTful web services that can cause arbitrary PHP code execution (CVE-2019-6340). Drupal versions 8.5.0 to 8.5.10 and 8.6.0 to 8.6.9 are vulnerable. It is important to note that Drupal caches GET responses and this can interfere with exploit success. If issues are encountered, clear the cache in a controlled test environment; otherwise, set another node ID.